Authentication
Authenticate backend API calls and securely open ASC Editor Plugin for end users.
ASC Editor Plugin uses two authentication layers:
- Console authentication for your team members who log in to the Platform Console.
- API authentication for your backend when it creates End User sessions and opens the editor.
This page focuses on API authentication.
Base API URL
https://api.aurorasendcloud.com/editor-plugin/
Authentication layers
| Layer | Used by | Purpose |
|---|---|---|
| Console authentication | Your team | Log in, manage Applications, configure API keys, set Push URLs, manage teammates, and view usage. |
| Application API authentication | Your backend | Create or refresh End User tokens and manage email records. |
| End User token authentication | Your backend | Generate temporary codes and call End User-scoped email APIs. |
| Temporary code | Your frontend | Open one editor session without exposing backend credentials. |
Application API key
Each Application has its own API keys.
Create an API key from:
Application -> Editor API -> API Keys
When you create a key, copy it immediately. The key is shown only once.
Use the Application ID and API key from your backend only. Do not expose the API key in frontend code.
Application-level API authentication
Application-level calls use Basic Auth.
Authorization: Basic base64(YOUR_APPLICATION_ID:YOUR_API_KEY)
Use this authentication when calling the endpoint that creates or refreshes an End User token.
Create or refresh an End User token
Before an End User can open the editor, your backend creates or refreshes a token for that End User.
# tr -d '\n' strips the line wraps that base64 adds to long output, which would break the header
curl -X POST https://api.aurorasendcloud.com/editor-plugin/access/token \
  -H "Authorization: Basic $(printf '%s' 'YOUR_APPLICATION_ID:YOUR_API_KEY' | base64 | tr -d '\n')" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "user_12345",
    "name": "Jane Doe",
    "email": "[email protected]"
  }'
Response:
{
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIs...",
    "expireTime": "2026-06-09T10:30:00Z",
    "userId": "user_12345"
  },
  "message": "success",
  "success": true,
  "code": 200
}
The id is your external identifier for the End User. It must be unique within the Application.
End User token authentication
After your backend receives an End User token, use it as a Bearer token for End User-scoped calls.
Authorization: Bearer END_USER_TOKEN
Use this authentication to:
- Generate a temporary code.
- Create an email.
- Get, update, delete, or copy an email owned by that End User.
Generate a temporary code
The End User token should stay on your backend. To open the editor from the browser, exchange the token for a short-lived temporary code.
curl -X POST https://api.aurorasendcloud.com/editor-plugin/access/code \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Content-Type: application/json"
Response:
{
  "data": {
    "code": "tmp_a8f3c2d1e4..."
  },
  "message": "success",
  "success": true,
  "code": 200
}
Temporary codes are:
| Property | Value |
|---|---|
| Lifetime | 5 minutes |
| Usage | Single-use |
| Scope | One End User editor session |
| Frontend-safe | Yes, because the code is short-lived and cannot replace backend credentials |
Authentication flow
End User
-> Your frontend asks your backend to open the editor
Your backend
-> POST /access/token with Application ID + API key
<- End User token
Your backend
-> POST /access/code with End User token
<- Temporary code
Your frontend
-> Opens editor with temporary code and email ID
Security best practices
- Store API keys in environment variables or a secrets manager.
- Keep Application API keys and End User tokens on your backend.
- Pass only temporary codes to the frontend.
- Generate a new temporary code each time the editor opens.
- Use HTTPS for all API calls and Push URL callbacks.
- Rotate the API key if it may have been exposed.
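The authentication flow and the practices above, combined into one backend helper. This is an added example, not AuroraSendCloud's own code: the function names, the environment variable names ASC_APP_ID and ASC_API_KEY, and the sample user are assumptions, and the `post` parameter exists so the flow can be exercised against a stub.

```python
import base64
import json
import os
import urllib.request

BASE_URL = "https://api.aurorasendcloud.com/editor-plugin"  # from this page

def basic_auth(app_id, api_key):
    """Authorization header value for Application-level calls."""
    raw = f"{app_id}:{api_key}".encode("utf-8")
    # b64encode never inserts line breaks, so long keys stay on one header line.
    return "Basic " + base64.b64encode(raw).decode("ascii")

def http_post(path, headers, body=None):
    """POST JSON over HTTPS and return the decoded JSON reply."""
    data = json.dumps(body).encode("utf-8") if body is not None else b""
    req = urllib.request.Request(
        BASE_URL + path, data=data, method="POST",
        headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def unwrap(reply):
    """Return reply['data'], or raise without echoing any credential."""
    if not reply.get("success") or "data" not in reply:
        raise RuntimeError(f"API error {reply.get('code')}: {reply.get('message')}")
    return reply["data"]

def temporary_code_for(end_user, app_id, api_key, post=http_post):
    """Run both backend steps; only the temporary code leaves this function."""
    token = unwrap(post("/access/token",
                        {"Authorization": basic_auth(app_id, api_key)},
                        end_user))["token"]
    # The End User token is used once here and is never returned or logged.
    return unwrap(post("/access/code",
                       {"Authorization": f"Bearer {token}"}))["code"]

if __name__ == "__main__":
    # ASC_APP_ID / ASC_API_KEY are assumed variable names, not from the docs.
    user = {"id": "user_12345", "name": "Jane Doe",
            "email": "jane@example.com"}  # constructed sample End User
    print(temporary_code_for(user, os.environ["ASC_APP_ID"],
                             os.environ["ASC_API_KEY"]))
```

Call `temporary_code_for` each time the editor opens and hand only its return value to the frontend, since each code is single-use and expires after 5 minutes.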
Updated 6 days ago
